0xRektora
commented
3 weeks ago That is because minting is supposed to happen only on the governance chain, which if not, we'll just skip minting.
Open hats-bug-reporter[bot] opened 3 weeks ago
0xRektora
commented
3 weeks ago That is because minting is supposed to happen only on the governance chain, which if not, we'll just skip minting.
ololade97
commented
3 weeks ago @0xRektora but is _data.governanceEid the right variable to use? As it is, _data.governanceEid is a parameter and not a variable.
Or is _data.governanceEid set somewhere I'm not seeing?
0xRektora
commented
3 weeks ago Yes it is the right one, the parameter is passed in the constructor and we check it at deploy time.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x49f7f912d008fde61c3be1d3177bc8fd25dc7135c0d0dd5d6c8046778c0f552a Severity: high
Description: Description\ The TapToken contract's constructor is performing an incorrect comparison when determining minting on the governance chain.
The issue lies in the usage of an uninitialized struct property - _data.governanceEid.
The _data.governanceEid property is never initialized or assigned a value before being passed to the constructor. As a result, _data.governanceEid will have its default value of 0.
Note that _data.governanceEid is passed as a parameter here -
ITapToken.TapTokenConstructorData memory _dataand stored inside thegovernanceEidstate variable.Therefore, the condition if (_getChainId() == _data.governanceEid) will always evaluate to false. As a result, no minting would be done.
Attack Scenario\ Describe how the vulnerability can be exploited.
Attachments https://github.com/hats-finance/Tapioca-0xe0b920d38a0900af3bab7ff0ca0af554129f54ad/blob/baddafc15616a5674e73c2f5a920b92bf9b21888/contracts/tokens/TapToken.sol#L154
if (_getChainId() == governanceEid)